#DefCon: Thermostat Control Hacked to Host Ransomware

Thermostat security has been proved to be particularly vulnerable, with ransomware able to infect and run on it.

Presenting at Def Con in Las Vegas on thermostat ransomware, Pen Test Partners’ Andrew Tierney described the discovery as the “first proof of concept of ransomware for a thermostat”. Although the company was not able to disclose details of the manufacturer as work had only finished ten days ago, and the company had not been through disclosure.

Tierney said that the exploits were very simple, but in general Internet of Things (IoT) hacks were simple, as he claimed that they are “often like hacking Linux boxes from the 1990s”.

In this case, Pen Test Partners opted for a US thermostat with a digital screen. Tierney said the device had a custom board, was ARM-based with a JTAG port, which he said “makes it so easy to hack”.

He said that this has an SD card slot, a pin head, an Ash shell and no open ports as it connects to its own cloud service, which could not be tested. “The software is 120MB and there is an Air application so it needs Flash installed, and if you pull firmware out you can see how it operates – there is one big executable that does display the user interface,” he said.

“So we put in a huge executable by loading a 7MB Javascript file, but this is not plain Javascript so you can query the SQL database so it can execute Linux commands.”

Tierney explained that everything runs as root, so you can inject a command. “We got command injection by the SD card, so it was a local attack. With root, you can set off alarm (and set the frequency very high) and can heat and cool at the same time,” he said.

Tierney said that it was able to take the firmware, and it had everything he needed to make it run ransomware. “It heats to 99 degrees, and asks for a PIN to unlock which changes every 30 seconds,” he said. “We put an IRC botnet on it, and the executable dials into the channel and uses the MAC address as the identifier, and you need to pay one Bitcoin to unlick.”

He explained that the attack vector is enabled by adding the SD card, but it was able to replace the 120MB Air app with a 55k .net app.

He said: “You can buy one of these on ebay and there is no way of checking it. It is not difficult [to hack] and I did it in two evenings.”

He said if the firmware had been unreadable – via obfuscation or encryption - to prevent it being modified it would have been harder, and he called on manufacturers to fix vulnerabilities, and stop the code from running as root, as there is no concept of least privilege escalation and it could cause actual damage.

“This is a powerful computer and not segregated and if it is not unconnected, it is a brilliant pivot and if you are inviting people onto [your] network you have no idea what they can do,” he said.